Secure systems contain information that must be protected from unauthorized external observation and control. Unauthorized external access must be prevented, whether it takes the form of a hardware state change, modification of information stored in the hardware, or access to information stored in the hardware.
Historically, disc drives have multiple communications ports in addition to the drive's host interface port. Such ports include drive serial ports, embedded trace module ports, and Joint Test Action Group (JTAG) ports. These ports are used in the manufacture, development, and debugging of the disc drives. To facilitate their intended purpose, in the past, such ports have been specifically designed to be easily accessible.
Drive serial ports provide the primary connection for manufacturing tests. The drive serial port is used for an initial download of firmware in manufacturing and lab environments, and for initial code downloads to uninitialized printed circuit board assemblies. These ports serve as the primary drive interface to test systems, and are used for initial interrogations, prior to activation of the host interface.
The embedded trace module (ETM) is a module that is tightly coupled to the microprocessor. It is configured by the JTAG port, and stores program flow and data trace information. This information is streamed out of the chip via a set of pins on an application specific integrated circuit (ASIC) called the ETM port. This port is an output only port.
The JTAG port is a standard port used throughout the ASIC industry. There are many off-the-shelf tools designed for connection and communication with JTAG ports. The uses of the JTAG port include: boundary scan and other tests by ASIC manufacturers; configuration and command emulation; basic emulation/interrogation mechanisms; and as a hot-plug for in-situ interrogation of electronic devices.
Scan test procedures are set up to allow for both controllability and observability of the internal state and storage elements contained within hardware systems. Scan test hardware can be used to facilitate extraction of protected information, or to change the state of system hardware in order to change the operability of a subsystem.
A fuse or other permanently alterable component can be used to disable the scan chain after production testing. However, the use of a fuse or other permanently alterable component adds cost. In addition, once the scan chain is disabled, it can no longer be used for additional testing. The state change of the alterable component must be permanent; otherwise, an attack on that component may allow access to the scan chain.
Access can also be limited by several other techniques. For example, the outputs of targeted storage elements can be gated when in the scan test mode to prevent observability during the capture phase of a scan test. The inputs of targeted storage elements can be forced to a known value when in the scan test mode to prevent controllability during the capture phase of scan test. Targeted storage elements can be removed from the scan chain to prevent controllability and observability during the scan phase of the scan test.
Combinations of gating outputs, forcing inputs, and removing targeted storage elements from the scan chain require that such elements be identified and that the intended restrictions are not circumvented due to design flows or design tool issues. Thorough verification that a storage element is non-controllable, non-observable, and non-scannable is difficult. In addition, the storage elements will no longer be testable using scan testing. These techniques allow for scan testing in the non-secure portions of a design, rather than excluding an entire design subsystem from scan test.
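A behavioural model of the three restrictions above and of the verification they call for, as an added example that is not part of the original text. The toy design (a 4-bit secret register K whose outputs feed an ordinary register D and whose input is driven from D) and all names are assumptions made for illustration; the check goes slightly beyond the text by brute-forcing whether scan-out, or the value left in K, depends on the secret or on the tester's pattern.

```python
from itertools import product

N = 4  # constructed toy design: 4-bit secret register K, 4-bit ordinary register D

def bits(n):
    return list(product((0, 1), repeat=n))

def scan_test(key, pattern, gate_out, force_in, in_chain):
    """Shift `pattern` in, pulse one capture clock, shift `pattern` in again.
    Returns (bits seen on scan-out, contents of K after the test)."""
    K, D = list(key), [0] * N

    def shift():
        nonlocal K, D
        out = D + (K if in_chain else [])   # old chain contents leave on scan-out
        D = list(pattern[:N])
        if in_chain:                        # a scannable K is loaded by the tester
            K = list(pattern[N:])
        return out

    seen = shift()
    k_out = [0] * N if gate_out else K      # gated outputs: logic sees a constant
    k_in = [0] * N if force_in else D       # forced inputs: K captures a known value
    D, K = [d ^ k for d, k in zip(D, k_out)], list(k_in)   # capture clock
    seen += shift()
    return tuple(seen), tuple(K)

def observable(**cfg):
    """True if some pattern makes scan-out differ between two values of K."""
    return any(len({scan_test(k, p, **cfg)[0] for k in bits(N)}) > 1
               for p in bits(2 * N))

def controllable(**cfg):
    """True if the tester's pattern influences the value left in K."""
    return len({scan_test((1, 0, 1, 1), p, **cfg)[1] for p in bits(2 * N)}) > 1

def report():
    configs = {
        "unprotected":              dict(gate_out=False, force_in=False, in_chain=True),
        "gate+force, still in chain": dict(gate_out=True, force_in=True, in_chain=True),
        "removed from chain only":  dict(gate_out=False, force_in=False, in_chain=False),
        "gate + force + removed":   dict(gate_out=True, force_in=True, in_chain=False),
    }
    return {name: (observable(**c), controllable(**c)) for name, c in configs.items()}

if __name__ == "__main__":
    for name, (obs, ctl) in report().items():
        print(f"{name:28s} observable={obs} controllable={ctl}")
```

In this model gating and forcing act only on the capture clock, and removal acts only on the shift phase, so K is neither observable nor controllable only when all three restrictions are applied together.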
Non-scan test methodologies such as built-in self-test can be used. Non-scan methodologies are viable alternatives, but are difficult to automate and usually require additional cost due to the test circuitry. Depending on the type of circuitry that is being tested, built-in self-test may, or may not, provide adequate test coverage. Built-in self-test coverage must also be verified on a design-by-design basis, with the exception of certain classes of devices, such as memory built-in test systems.
The goal of the port hardening is to secure the ports, but still allow access by authorized personnel for initialization, debug, test, and interrogation of the drive. To achieve this goal, it is desirable to: secure external hardware entry points to the drive; allow access to selected test functions via the JTAG interface; allow access to progressive levels of hardware by authorized personnel for development, debug, and interrogation; protect the secrecy of the user's clear-text, prevent unintended access to secret information stored in the hardware (such as keys) and prevent control of the hardware that would allow a user to circumvent security features, even in debug situations; and overall, provide the same level of access for drive development and debug as in previous drives.
With disc drives containing secure information, the ports must be secured to allow only authorized access, for manufacture and debug purposes. More specifically, the ports must be blocked from malicious entities that could gain value by discovering secrets through these ports.